ABSTRACT. We introduce a truncated addition operation on pairs of $N$-bit binary numbers that interpolates between ordinary addition mod $2^N$ and bitwise addition in $(\mathbb{Z}/2\mathbb{Z})^N$. We use truncated addition to analyze hash functions that are built from the bit operations add, rotate, and xor, such as Blake, Skein, and Cubehash. Any ARX algorithm can be approximated by replacing ordinary addition with truncated addition, and we define a metric on such algorithms which we call the sensitivity. This metric measures the smallest approximation agreeing with the full algorithm a statistically useful portion of the time (we use 0.1%). Because truncated addition greatly reduces the complexity of the non-linear operation in ARX algorithms, the approximated algorithms are more susceptible to both collision and pre-image attacks, and we outline a potential collision attack explicitly. We particularize some of these observations to the Skein hash function.
This paper is concerned with a family of hash algorithms that are defined in terms of addition mod $2^N$ (denoted $+$), bitwise rotation, and exclusive or (denoted $\oplus$) which is equivalent to bitwise addition mod 2. Such algorithms are referred to as ARX algorithms.

The non-linearity of ARX algorithms over $(\mathbb{Z}/2\mathbb{Z})^N$ relies exclusively on the addition mod $2^N$ component. As in base 10, we can perform addition on each digit and keep a carry value for each position to record overflows. In base 2, we will observe that carrying occurs frequently and so the addition-with-carrying operation is indeed highly non-linear, and we note that computers are designed to compute this type of non-linearity efficiently.

In this work, we replace ordinary addition mod 2 N with a series of approximations that converge to 
actual addition. These approximations arise from truncating the number of carry values that we record. 
The zeroth approximation is addition with no carries which corresponds to the exclusive-or operation. 
The first approximation is bitwise addition plus a single carry term for each bit; namely, we look back 
a single bit for carry terms and do not "carry our carries." The second approximation involves looking 
back two bits for carry information, and so on. The surprising fact is that for 64-bit binary numbers, 
the fourth approximation and the actual sum coincide a statistically useful percentage of the time. The 
eighth approximation coincides with ordinary addition more than 90 percent of the time. 

In light of this, it is natural to consider replacing instances of ordinary addition in an ARX algorithm 
by the simpler truncated addition operation. We describe a polynomial encoding for hash algorithms 
that can in principle be used to find collisions and preimages for the algorithm with truncated addition. 
Although neither attack is currently practical, we show that replacing ordinary addition by truncated 
addition dramatically reduces the degree of these polynomials, which should facilitate their analysis. 
When collisions exist in the version using truncated addition and the algorithm using truncated addition 
agrees with the usual algorithm sufficiently often, then one obtains collisions in the full algorithm with a 
significant nonzero probability. 

REBECCA E. FIELD AND BRANT C. JONES

We also use this setting to describe a new metric that measures the strength of ARX hash algorithms. This metric can be described as the number of carry bits that must be used before we can find cases where the full algorithm and its approximation using truncated addition agree a statistically useful percent of the time. We measure this using a computer implementation of the algorithm and a random search through 10 million inputs. This metric is found to agree with the popular wisdom, based on factors such as the speed of hashing, that Cubehash160+16/32+160-256 is stronger than the ARX algorithms that were final round candidates for the SHA-3 competition. This algorithm requires 13 bits of carrying before matches can be found. In contrast, we were able to find 29 cases of agreement per 10,000 random inputs using only 9 bits of carrying for the algorithm Skein. This means that it suffices to attack the 9-truncated approximation rather than the full addition version of Skein as its approximation coincides a sufficient percent of the time.

The main technique in this paper, replacing addition with truncated addition, has been used as part of cryptographic attacks in the past. In [5], a series of approximations for the hash algorithm Salsa20/8 (a reduced round version of the full Salsa algorithm) are shown to possess the same bias in differential probabilities as the full algorithm. As the full key is not necessary to trace backwards for the approximate algorithm, this differential bias can be used to distinguish key conjectures that are good candidates for the approximate to the true key. Using a combination of second and third order approximation (two or three carry bits are recorded, but no others), the authors are able to show that a key can be found faster than by exhaustive search.

Here, we use truncated addition to define a new (and concrete) method to compare the robustness of different ARX algorithms. As part of this comparison, each algorithm is assigned an approximation of sufficient complexity that any cryptographic attack can be applied to the approximations with statistically significant results for the full algorithm. We also provide a direct combinatorial proof of the exact probability that truncated addition and ordinary addition will produce the same result, a significant improvement to approximations such as "the $d$th order term may be ignored with probability $1 - 2^{-d}$" currently in the literature [5].

In Section 2 we describe our truncated addition operation in detail. In Section 3 we explain how 
to encode a hash algorithm as a system of polynomial equations. Section 4 gives some empirical data 
about hash algorithms from the NIST competition [6]. In Section 5 we give some suggestions for future 
research regarding the algorithm Skein. A short conclusion follows in Section 6. 



2. An approximation to addition by truncated carries

Fix an integer $N$. In our applications $N = 32$ or $N = 64$, and we represent integers in binary notation using $N$ bits. For example, $x = \sum_{i=0}^{N-1} x_i 2^i$ has binary digits $x_i \in \{0, 1\}$. We will sometimes write these digits as an array $[x_{N-1}, x_{N-2}, \ldots, x_1, x_0]$ with the least significant bit in the rightmost position.

Definition 2.1. Let $x = \sum_{i=0}^{N-1} x_i 2^i$ and $y = \sum_{i=0}^{N-1} y_i 2^i$. We can then view $x$ and $y$ as elements of $\mathbb{Z}/(2^N\mathbb{Z})$ and $(\mathbb{Z}/2\mathbb{Z})^N$ simultaneously. Here, $\mathbb{Z}/(2^N\mathbb{Z})$ represents the group of integers with addition mod $2^N$, while $(\mathbb{Z}/2\mathbb{Z})^N$ represents bitstrings of length $N$ under componentwise addition mod 2. We denote the ordinary addition of these integers in $\mathbb{Z}/(2^N\mathbb{Z})$ by $x + y$. We denote the bitwise addition of these integers

$$\sum_{i=0}^{N-1} \big((x_i + y_i) \bmod 2\big)\, 2^i$$

in $(\mathbb{Z}/2\mathbb{Z})^N$ by $x \oplus y$.

To relate these operations, we introduce the carry array $c(x, y) = \sum_{i=1}^{N-1} c_i(x, y)\, 2^i$, where

$$c_i(x, y) = \begin{cases} 1 & \text{if } x_{i-1} + y_{i-1} + c_{i-1}(x, y) \in \{2, 3\} \\ 0 & \text{otherwise.} \end{cases}$$

Then the usual addition algorithm using carries yields

$$x + y = x \oplus y \oplus c(x, y).$$

Observe that $c_0(x, y)$ is always $0$ by definition. If $x_{N-1} = 1$ and $y_{N-1} = 1$ then we would generate a carry at the $N$th position, but $2^N = 0$ in $\mathbb{Z}/(2^N\mathbb{Z})$ so we omit this.

Lemma 2.2. We have that $c_i(x, y) = 1$ if and only if there exists $j < i$ such that $(x_j, y_j) = (1, 1)$ and for all $j < k < i$, we have $x_k + y_k = 1$.

Proof. It follows from the definitions that

$$c_i(x, y) = \begin{cases} c_{i-1}(x, y) & \text{if } c_{i-1}(x, y) = 1 \text{ and } x_{i-1} + y_{i-1} \in \{1, 2\} \\ 0 & \text{if } c_{i-1}(x, y) = 1 \text{ and } x_{i-1} + y_{i-1} = 0 \\ c_{i-1}(x, y) & \text{if } c_{i-1}(x, y) = 0 \text{ and } x_{i-1} + y_{i-1} \in \{0, 1\} \\ 1 & \text{if } c_{i-1}(x, y) = 0 \text{ and } x_{i-1} + y_{i-1} = 2. \end{cases}$$

Hence, strings of carrying are started by a $(x_j, y_j) = (1, 1)$ pair, continued by $(0, 1)$, $(1, 0)$ and $(1, 1)$ pairs, and stopped by a $(0, 0)$ pair. If there are multiple $(1, 1)$ pairs prior to position $i$, we choose the pair with the greatest position $j$ so that $(x_k, y_k) \in \{(0, 1), (1, 0)\}$ for all $j < k < i$ by construction. □

Observe that in the worst case, we might have to look back $N - 1$ positions to decide whether a carry exists at the most significant position. We now define a version of addition based on a carry array that uses the information from at most $m$ prior positions.

Definition 2.3. Let $c_i^{(m)}(x, y)$ be $1$ if there exists $i - m \le j < i$ such that $(x_j, y_j) = (1, 1)$ and for all $j < k < i$ we have $x_k + y_k = 1$. We then define the $m$-truncated addition of $x$ and $y$ to be

$$x +_m y := x \oplus y \oplus c^{(m)},$$

where $c^{(m)} = \sum_{i=1}^{N-1} c_i^{(m)}\, 2^i$.

Observe that $x +_0 y = x \oplus y$ and $x +_{(N-1)} y = x + y$ so truncated addition generalizes and interpolates between these operations.

Example 2.4. If $N = 4$ then

        1 0 0 1              1 0 0 1
    +_3 1 0 1 1          +_1 1 0 1 1
    -----------          -----------
        0 1 0 0              0 0 0 0

represents $9 + 11 = 20$ which is equivalent to $4 \bmod 2^4$, and $9 +_1 11 = 0$, respectively. In the first case where $m = N - 1 = 3$, the carry array is $c^{(3)} = [0, 1, 1, 0]$. In the second case where $m = 1$, the 1-truncated carry array is $c^{(1)} = [0, 0, 1, 0]$. We see that $c_2^{(1)} = 0$ since there is no $(1, 1)$ pair lying within $m = 1$ positions prior to position $i = 2$. On the other hand, $c_2^{(3)} = 1$ since there does exist a $(1, 1)$ pair lying within $m = 3$ positions prior to position $i = 2$.

Proposition 2.5. We have $x + y = x +_m y$ if and only if the sequence $\{x_i + y_i\}_{i=0}^{N-2}$ does not contain a $2$ directly followed by a contiguous subsequence of $m$ $1$'s as $i$ runs from $0$ to $N - 2$.

Proof. This follows by comparing Lemma 2.2 and Definition 2.3. □
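The following Python is an added example, not code from the paper. It implements the $m$-truncated carry array of Definition 2.3 for arbitrary $N$ and $m$, the recursive carry definition and the criterion of Lemma 2.2, and the ternary-pattern test of Proposition 2.5, then checks exhaustively on small word sizes that the three descriptions agree. It also reproduces the two sums of Example 2.4 and shows a worst-case carry chain (all ones plus 1) that truncation cuts short; the function and variable names are my own.

```python
from typing import List

def bits(x: int, N: int) -> List[int]:
    """Binary digits of x, least significant first: [x_0, x_1, ..., x_{N-1}]."""
    return [(x >> i) & 1 for i in range(N)]

def carry_array(x: int, y: int, N: int, m: int) -> List[int]:
    """m-truncated carry array [c_0, ..., c_{N-1}] of Definition 2.3: c_i = 1 iff some
    position j with i-m <= j < i has (x_j, y_j) = (1, 1) and every position strictly
    between j and i has x_k + y_k = 1.  With m = N-1 this is the criterion of Lemma 2.2."""
    xb, yb = bits(x, N), bits(y, N)
    c = [0] * N                                   # c_0 is always 0
    for i in range(1, N):
        for j in range(max(0, i - m), i):
            if (xb[j], yb[j]) == (1, 1) and all(xb[k] + yb[k] == 1 for k in range(j + 1, i)):
                c[i] = 1
                break
    return c

def recursive_carry_array(x: int, y: int, N: int) -> List[int]:
    """Full carry array by the recursive definition: c_i = 1 iff x_{i-1} + y_{i-1} + c_{i-1} is 2 or 3."""
    xb, yb = bits(x, N), bits(y, N)
    c = [0] * N
    for i in range(1, N):
        c[i] = 1 if xb[i - 1] + yb[i - 1] + c[i - 1] >= 2 else 0
    return c

def truncated_add(x: int, y: int, N: int, m: int) -> int:
    """x +_m y = x XOR y XOR c^(m)(x, y); the carry out of bit N-1 is discarded (mod 2^N)."""
    c = sum(ci << i for i, ci in enumerate(carry_array(x, y, N, m)))
    return (x ^ y ^ c) & ((1 << N) - 1)

def agrees_by_pattern(x: int, y: int, N: int, m: int) -> bool:
    """Proposition 2.5: x + y == x +_m y iff the ternary sequence x_i + y_i (i = 0..N-2)
    has no 2 directly followed, in increasing position, by m consecutive 1s."""
    s = [xi + yi for xi, yi in zip(bits(x, N), bits(y, N))][:N - 1]
    for i in range(len(s) - m):
        if s[i] == 2 and all(s[i + t] == 1 for t in range(1, m + 1)):
            return False
    return True

def check_all_pairs(N: int, m: int) -> bool:
    """Exhaustively check, over all N-bit pairs, that (a) +_(N-1) is ordinary addition mod 2^N,
    (b) Lemma 2.2 agrees with the recursive carry definition, and (c) Proposition 2.5
    predicts exactly when x +_m y equals x + y."""
    mask = (1 << N) - 1
    for x in range(1 << N):
        for y in range(1 << N):
            full = (x + y) & mask
            if truncated_add(x, y, N, N - 1) != full:
                return False
            if recursive_carry_array(x, y, N) != carry_array(x, y, N, N - 1):
                return False
            if (truncated_add(x, y, N, m) == full) != agrees_by_pattern(x, y, N, m):
                return False
    return True

if __name__ == "__main__":
    # Example 2.4: 9 +_3 11 = 4 and 9 +_1 11 = 0 for N = 4
    print(truncated_add(9, 11, 4, 3), truncated_add(9, 11, 4, 1))
    print(list(reversed(carry_array(9, 11, 4, 3))), list(reversed(carry_array(9, 11, 4, 1))))
    # A worst-case chain: all ones plus 1 needs a carry to travel 63 positions
    print(hex(truncated_add(2**64 - 1, 1, 64, 8)), hex(truncated_add(2**64 - 1, 1, 64, 63)))
    print(all(check_all_pairs(5, m) for m in range(5)))
```

The all-ones case makes the cost of truncation visible: with $m = 8$ only the carries into bits 1 through 8 survive, so the result differs from the true sum $0$ in every bit above 8, exactly the "2 followed by at least $m$ ones" situation of Proposition 2.5.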

We are now in a position to determine the probability that $x +_m y$ agrees with $x + y$. Recall that a ternary string is one in which each digit is $0$, $1$ or $2$.
    m     N = 32-bit       N = 64-bit
    4     63.62771 %       37.10136 %
    5     80.94266 %       62.31794 %
    6     [illegible]      79.59719 %
    7     95.36429 %       89.50263 %
    8     97.76392 %       94.73115 %
    9     98.92764 %       97.38680 %
    10    99.48763 %       98.71143 %
    11    99.75591 %       99.36646 %
    12    99.88404 %       99.68900 %
    13    99.94507 %       99.84747 %
    14    99.97406 %       99.92525 %
    15    99.98779 %       99.96338 %
    16    99.99428 %       99.98207 %

Table 1. Probability of $x +_m y = x + y$



Lemma 2.6. Let $P(m)$ be the ternary string $1^m 2 = 11 \cdots 12$. Let $p_m(i)$ be the probability that in a bitwise sum of uniformly chosen binary strings (of any length $> m + 1$), the rightmost instance of $P(m)$ as a consecutive substring ends at position $i$. Here, we label the positions from right to left, starting from $0$. Let $a_m(j)$ be the probability that a bitwise sum of uniformly chosen binary strings of length $j$ does not contain $P(m)$ as a consecutive substring. Then we have the system

$$a_m(j) = 1 - \sum_{i=0}^{(j-1)-m} p_m(i) \tag{2.1}$$

$$p_m(i) = \frac{1}{4}\left(\frac{1}{2}\right)^{m} a_m(i) \tag{2.2}$$

that can be solved explicitly for $a_m(N - 1)$.

Proof. Every instance of $P(m)$ in a ternary string of length $j$ must end at some position, and each such event is independent, so Equation (2.1) represents the probability that no instances of $P(m)$ occur. Equation (2.2) gives the probability that in the bitwise sum of two uniformly chosen binary strings, the rightmost $i$ positions avoid $P(m)$, the next position is a $2$ (this occurs with probability $1/4$), the $m$ subsequent positions are $1$'s (these each occur with probability $1/2$), and the remaining positions are all unrestricted (so contribute probability $1$). □

Corollary 2.7. The probability $\pi_m(N)$ that $x +_m y = x + y$ where $x$ and $y$ are uniformly chosen $N$-bit integers is $a_m(N - 1)$. Some typical values of $\pi_m(N)$ are illustrated in Table 1.

Proof. This follows from Proposition 2.5 and Lemma 2.6. □
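As an added example (my code, not the paper's), the system (2.1)/(2.2) can be solved exactly with rational arithmetic by substituting (2.2) into (2.1) and filling in $a_m(0), a_m(1), \ldots$ in order, since $a_m(k)$ only depends on $a_m(i)$ for $i \le k - 1 - m$. The function names below are mine; `pi_m` is Corollary 2.7, and `expected_match` is the $(\pi_m)^k$ heuristic that Section 3 and the remarks of Section 4 use for an algorithm with $k$ additions.

```python
from fractions import Fraction

def a_m(m: int, j: int) -> Fraction:
    """a_m(j): probability that the bitwise sum (a ternary string) of two uniformly random
    binary strings of length j contains no consecutive substring P(m) = 1^m 2.
    Computed by substituting (2.2) into (2.1):
        a_m(j) = 1 - sum_{i=0}^{(j-1)-m} (1/4)(1/2)^m a_m(i),
    where a_m(i) = 1 for i <= m because a string of length i <= m cannot hold P(m)."""
    scale = Fraction(1, 4) * Fraction(1, 2) ** m      # a 2 (prob 1/4) then m ones (prob 1/2 each)
    a = []
    for k in range(j + 1):
        terms = k - m                                  # number of indices i = 0 .. (k-1)-m
        total = sum(a[:terms], Fraction(0)) if terms > 0 else Fraction(0)
        a.append(1 - scale * total)
    return a[j]

def pi_m(m: int, N: int) -> Fraction:
    """Corollary 2.7: P[x +_m y = x + y] for uniform N-bit x, y is a_m(N - 1)
    (only positions 0..N-2 matter, since the carry out of the top bit is discarded)."""
    return a_m(m, N - 1)

def expected_match(m: int, N: int, k: int) -> float:
    """(pi_m(N))^k, the heuristic for an algorithm with k independent N-bit additions."""
    return float(pi_m(m, N)) ** k

def table_rows(ms, Ns):
    """Rows (m, [percentages]) in the layout of Table 1, rounded to five decimals."""
    return [(m, [round(100 * float(pi_m(m, N)), 5) for N in Ns]) for m in ms]

if __name__ == "__main__":
    for m, row in table_rows(range(4, 17), (32, 64)):
        print(f"{m:2d}  " + "  ".join(f"{v:9.5f} %" for v in row))
    # Remark 4.2 / 4.3 style estimates: Skein has 278 64-bit additions, Blake 1345 32-bit ones
    print(expected_match(9, 64, 278), expected_match(10, 32, 1345))
```

Running the table loop regenerates the entries of Table 1 (including the cell that is illegible in this copy); the $m = 0$ column collapses to $(3/4)^{N-1}$, the chance that no $(1,1)$ pair occurs below the top bit, and any $m \ge N - 1$ gives probability exactly $1$.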



3. A polynomial encoding and metrics for ARX algorithms

In this section, we consider encoding an ARX hash algorithm by a system of polynomial functions over $\mathbb{F}_2$, the 2-element field. Here, we mean that the domain, range, and ring of coefficients of these polynomials should all be $\mathbb{F}_2$. We will see that replacing instances of $+$ by $+_m$ reduces the degree of these polynomials, which facilitates analysis of the hash algorithm. At the same time, Table 1 gives some evidence that making this replacement will not change the output of the hash function too often.

Observe that our $N$-bit arrays have an action of the symmetric group of permutations on $N$ letters given by permuting the entries of arrays. In particular, this action allows us to achieve the bitwise rotation operation. We denote this action by $\sigma \cdot [x_{N-1}, \ldots, x_0]$ for $\sigma \in S_N$.

Proposition 3.1. Consider two $N$-bit arrays $x = [x_{N-1}, \ldots, x_1, x_0]$ and $y = [y_{N-1}, \ldots, y_1, y_0]$, and let $\sigma \in S_N$. There exist polynomial functions in $\mathbb{F}_2[x_0, x_1, \ldots, x_{N-1}, y_0, y_1, \ldots, y_{N-1}]$ whose evaluation is equal to the $i$th bit of $x \oplus y$, $x +_m y$ and $\sigma \cdot x$, respectively. Explicitly, we have

• The $i$th bit of $\sigma \cdot [x_{N-1}, \ldots, x_1, x_0]$ is $x_{\sigma(i)}$.

• The $i$th bit of $[x_{N-1}, \ldots, x_1, x_0] \oplus [y_{N-1}, \ldots, y_1, y_0]$ is $x_i + y_i$.

• The $i$th bit of $[x_{N-1}, \ldots, x_1, x_0] +_m [y_{N-1}, \ldots, y_1, y_0]$ is

$$(x_i + y_i) + \sum_{k=1}^{\min(i, m)} (x_{i-k}\, y_{i-k}) \prod_{j=i-k+1}^{i-1} (x_j + y_j).$$

Proof. The first two formulas are straightforward. The last formula follows from Definition 2.3. □

Example 3.2. The addition of two 4-bit numbers $[x_3, x_2, x_1, x_0] + [y_3, y_2, y_1, y_0]$ can be represented by the polynomials

$$[(x_3 + y_3) + (x_2 y_2) + (x_1 y_1)(x_2 + y_2) + (x_0 y_0)(x_1 + y_1)(x_2 + y_2),\ (x_2 + y_2) + (x_1 y_1) + (x_0 y_0)(x_1 + y_1),\ (x_1 + y_1) + (x_0 y_0),\ x_0 + y_0]$$

with maximum degree 4. If we use 2-truncated addition instead, then we obtain

$$[(x_3 + y_3) + (x_2 y_2) + (x_1 y_1)(x_2 + y_2),\ (x_2 + y_2) + (x_1 y_1) + (x_0 y_0)(x_1 + y_1),\ (x_1 + y_1) + (x_0 y_0),\ x_0 + y_0],$$

which has maximum degree 3.
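To make Proposition 3.1 and Example 3.2 concrete, here is an added Python example (mine, not code from the paper). It represents a polynomial function over $\mathbb{F}_2$ as a set of monomials, builds the bit polynomials of $x +_m y$ for any $N$ and $m$ from the formula in Proposition 3.1, reports their maximal degree, and evaluates them on the numbers of Example 2.4 to confirm they compute the same values as the integer operation. The representation and helper names are my own choices.

```python
# A polynomial function over F_2 is stored as a frozenset of monomials, each monomial a
# frozenset of variable names.  Adding is symmetric difference (coefficients are mod 2),
# and because we treat polynomials as functions on {0,1}, x_i^2 = x_i, so multiplying
# two monomials is just the union of their variable sets.
ONE = frozenset({frozenset()})
ZERO = frozenset()

def var(name: str) -> frozenset:
    return frozenset({frozenset({name})})

def padd(f: frozenset, g: frozenset) -> frozenset:
    return f ^ g

def pmul(f: frozenset, g: frozenset) -> frozenset:
    out = set()
    for a in f:
        for b in g:
            out ^= {a | b}          # equal monomials cancel in pairs
    return frozenset(out)

def degree(f: frozenset) -> int:
    return max((len(mono) for mono in f), default=0)

def truncated_add_polys(N: int, m: int) -> list:
    """Bit polynomials of x +_m y, least significant bit first, via Proposition 3.1:
    bit i = (x_i + y_i) + sum_{k=1}^{min(i,m)} x_{i-k} y_{i-k} prod_{j=i-k+1}^{i-1} (x_j + y_j)."""
    x = [var(f"x{i}") for i in range(N)]
    y = [var(f"y{i}") for i in range(N)]
    out = []
    for i in range(N):
        bit = padd(x[i], y[i])
        for k in range(1, min(i, m) + 1):
            term = pmul(x[i - k], y[i - k])            # a (1,1) pair k positions back ...
            for j in range(i - k + 1, i):
                term = pmul(term, padd(x[j], y[j]))    # ... propagated through x_j + y_j = 1
            bit = padd(bit, term)
        out.append(bit)
    return out

def max_degree(polys: list) -> int:
    """The degree of this one operation's encoding, in the sense of Definition 3.3."""
    return max(degree(p) for p in polys)

def evaluate(f: frozenset, assignment: dict) -> int:
    return sum(1 for mono in f if all(assignment[v] for v in mono)) % 2

def evaluate_sum(N: int, m: int, xval: int, yval: int) -> int:
    """Plug concrete N-bit integers into the bit polynomials and reassemble the result."""
    assignment = {f"x{i}": (xval >> i) & 1 for i in range(N)}
    assignment.update({f"y{i}": (yval >> i) & 1 for i in range(N)})
    return sum(evaluate(p, assignment) << i for i, p in enumerate(truncated_add_polys(N, m)))

def render(f: frozenset) -> str:
    """Readable form, e.g. 'x3 + y3 + x2*y2 + ...'; monomials listed by increasing degree."""
    if not f:
        return "0"
    monos = sorted(f, key=lambda mono: (len(mono), sorted(mono)))
    return " + ".join("*".join(sorted(mono)) or "1" for mono in monos)

if __name__ == "__main__":
    for m in (3, 2, 1, 0):
        polys = truncated_add_polys(4, m)
        print(f"m={m}: max degree {max_degree(polys)}")
        for i, p in reversed(list(enumerate(polys))):       # most significant bit first
            print(f"   bit {i}: {render(p)}")
    print(evaluate_sum(4, 3, 9, 11), evaluate_sum(4, 1, 9, 11))   # Example 2.4: 4 and 0
```

The degree of bit $i$ is $\min(i, m) + 1$, so the maximal degree of a single $N$-bit $+_m$ is $\min(N - 1, m) + 1$: 4 for ordinary 4-bit addition and 3 for $+_2$, as in Example 3.2, and 64 versus 10 for a 64-bit word with $m = 9$.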

We consider an ARX hash function to be any finite composition of the operations $+$, $\oplus$, and any permutation of the bits in an array. To find a collision for such a hash algorithm, it is helpful to have a message that is at least as long as the output. We therefore let $n$ be the maximum number of bits in the input (including both the message as well as any key derived from the message), output, or internal state.

Let $x_i$ be variables representing the bits of input to the hash, so each $x_i \in \{0, 1\}$ for $0 \le i \le n - 1$. We include variable bits for the key if it is derived from the message. We then use Proposition 3.1 to build polynomials $y_i \in \mathbb{F}_2[x_0, x_1, \ldots, x_{n-1}]$ that represent the $i$th bit of output from the ARX hash function. We can encode multiple rounds of a sub-algorithm by iterating the functions we obtain, taking the $y_i$ expressed in terms of the $x_i$ and using them as input.

If we do this for two sets of inputs $x_i$ and $x'_i$, say, then collisions correspond to nontrivial solutions of the system of polynomial equations

$$\{\, y_i(x_0, x_1, \ldots, x_{n-1}) = y_i(x'_0, x'_1, \ldots, x'_{n-1}) \,\}_{i=0}^{n-1}.$$

Similarly, if we let $z_i$ be variables corresponding to the output of a hash, then a preimage for the output $(z_0, \ldots, z_{n-1})$ corresponds to a solution of the system of polynomial equations

$$\{\, y_i(x_0, x_1, \ldots, x_{n-1}) = z_i \,\}_{i=0}^{n-1}.$$

These systems each have $2n$ variables and all coefficients are $0$ or $1$. Therefore, the maximal degree among the $y_i$ is a primary measure of the complexity of this system, and hence of the ARX algorithm. Each $+$ operation performed by the algorithm increases the degree, while bitwise permutations do not increase it at all.
    Algorithm    Internal state size    Addition bits    Sensitivity    Number of + operations
    Skein        256                    64               9              278
    Blake        256                    32               10             1345
    Cubehash     1024                   32               13             6145

Table 2. Experimental results



More precisely, we may observe that if $f$ and $g$ are polynomial functions that represent single bits of output and $\deg(f) \ge \deg(g)$ then

$$\deg(f +_m g) = m \deg(f) + \deg(g)$$

by the equation given in Proposition 3.1. Therefore, replacing $+ = +_{N-1}$ by $+_m$ dramatically reduces the degrees of the encoding polynomials.

In principle, algorithms using Gröbner bases can be used to solve such systems of polynomial equations, see e.g. [4]. Neither the collision nor the preimage attacks we have outlined seem to be currently practical, although this could change due to an increase in computer power or more efficient Gröbner basis algorithms, an active area of research in mathematics.

Although the length of time to find a Gröbner basis is difficult to predict, generally it is true that the higher the degree of the equations, the longer the algorithm will take, so the degree of a hash algorithm gives a good measure of algorithm complexity.

Definition 3.3. We define the degree of an ARX hash function to be the maximum degree of its encoding polynomials.

For ARX algorithms, we have seen that this metric will be dominated by the number of times $+$ is used in the algorithm.

Definition 3.4. Denote an ARX hash algorithm by $H$, and its output after hashing the message $M$ by $H(M)$. Given an ARX hash algorithm $H$, let $H_m$ denote the corresponding algorithm in which all instances of $+$ have been replaced by $+_m$. We define the sensitivity of $H$ to be the minimum $m$ such that $H_m(M) = H(M)$ for at least 0.1 percent of the inputs $M$ of each fixed length.

The sensitivity measures how vulnerable a given algorithm would be to the types of attacks we have outlined above. Notice that the degree and the sensitivity are related because we would expect that an algorithm using $k$ addition operations would have $H_m(M) = H(M)$ with probability $(\pi_m)^k$ by Corollary 2.7. This assumes that these operations occur independently and that the distribution of inputs to the addition operations is uniform.

4. Examples from the NIST competition 

In this section, we use Monte Carlo experiments to estimate the sensitivity of some NIST competition 
algorithms [6]. We implemented versions of Blake [1] and Skein [3] that use truncated addition, and 
ran them using random inputs to determine how often these modified algorithms agree with the original 
algorithm. Cubehash [2] did not pass the second round of the NIST competition but also provides an 
interesting example for analysis. The results are displayed in Table 2. 

These results were generated using 10 trials with 1,000,000 random inputs each. For these trials, the match between Skein using $+_8$ and Skein using $+$ was .001% while the match between Skein using $+_9$ and Skein using $+$ was .294%. The match between Blake using $+_{10}$ and Blake using $+$ was .106%. The match between Cubehash using $+_{13}$ and Cubehash using $+$ was 3.4319% whereas we found no matches at all between Cubehash using $+_{12}$ and Cubehash using $+$.
These results show that we may replace $+$ by the significantly simpler operation $+_m$ (where $m = 9$, $10$, or $13$) and still achieve the same output at least 0.1% of the time. Therefore collisions found in the truncated addition versions of the algorithms would translate to collisions in the full algorithms a statistically useful percent of the time.

Remark 4.1. Since Blake uses 32-bit addition, our truncated approximation reduces the degree of each addition from 32 to degree 10. On the other hand, Skein uses 64-bit addition so our truncated approximation gives a much more dramatic reduction from degree 64 to degree 9. For this reason, we would say that Skein is the weaker algorithm.

Remark 4.2. There are a total of 278 $+$ operations in Skein. If all of the addition operations occurred independently and in parallel, we would expect the probability of a match between Skein$_9$ (using $+_9$) and Skein (using $+$) to be $(\pi_9(64))^{278} = (0.97387)^{278} = 0.000635732714225483$. In our Monte Carlo experiment, we actually found matches with probability 0.00294.

While there are permutations included in each round that amount to the addition operations being in parallel, many of Skein's additions appear in series.

Remark 4.3. Blake has 1345 total additions and sensitivity 10, so we would expect Blake$_{10}$ to match Blake with probability $(\pi_{10}(32))^{1345} = (0.99488)^{1345} = 0.0010036724$. In our experiments, we actually found matches with probability 0.00106. This makes Blake almost perfectly efficient via our metric.

Remark 4.4. The corresponding results for Cubehash seem surprising. The program we used to compute the sensitivity of Cubehash used only 6145 $+$ operations. (The number of operations in Cubehash depends on the length of the message being hashed, so it is important to not use generic figures for this.)

We would expect Cubehash$_{13}$ to match Cubehash with probability $(\pi_{13}(32))^{6145} = (0.99945)^{6145} = 0.0340243180867048$. In our experiments, we actually found matches less often, with probability 0.00106.

To understand this result, note that differences between $+$ and $+_m$ arise from the addition of two numbers with long strings of 0/1 pairs in consecutive entries. If a hash algorithm were unlikely to turn inputs into their opposite entry and then add the result to the original, then it is plausible to have such a result. In fact, unlike the other hash algorithms, Cubehash uses only odd rotation constants which may make it less likely to generate such strings.

It would be interesting to understand the relationship between $\pi_m(N)^{\text{number of } + \text{ operations}}$ and the experimental match percentages more precisely.

5. Future work for Skein

The heart of Skein is the tweakable block cipher Threefish, and it is this cipher that we suggest analyzing using truncated addition. The basic structure of the Threefish cipher is four applications of a non-linear bijection (defined using add, rotate and xor operations) followed by the addition of a full-length subkey. More specifically, Threefish breaks the internal state of 256 bits into two pairs of 64-bit words and applies to each pair an ARX function called MIX. After this, the four words are permuted (the same permutation, PERMUTE = (0)(13)(2), being used each time). The rotation constants internal to MIX are changed on a schedule for optimal dispersal, and a 'round' in Threefish is the application of one set of MIXs and one PERMUTE. Every four rounds, a 'subkey' of length 256 is added to the current state. The full specification of Threefish calls for 72 rounds, so 18 subkeys added in total.

Following the scheme outlined in Section 3, a single round of Threefish can be made to act on a set of variables

$$(x_0, \ldots, x_{63}, y_0, \ldots, y_{63}, z_0, \ldots, z_{63}, w_0, \ldots, w_{63}) = (x, y, z, w) = \mathbf{x}$$

producing 256 Boolean polynomials in the variables $x_0, \ldots, w_{63}$, one polynomial for each coordinate. We call the $i$th such polynomial $f_i$ and denote the full operation on all of these variables $f = (f_0, f_1, \ldots, f_{255})$. We similarly define the polynomials $f_i(x_0, \ldots, w_{63})_m$ to be the coordinate functions for the truncated addition version of Threefish$_m$ in which all ordinary additions are replaced by $m$-truncated addition.

Observe that $f$ is a bijection. This is due to the fact that when any add, rotate or xor operation within MIX is applied to $x, y$, one of the two original inputs is retained. This follows from the definition

$$\mathrm{MIX}(x, y) = (x + y,\ \rho(x) \oplus (x + y))$$

where $\rho$ is bitwise rotation.
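The Monte Carlo procedure of Section 4 (estimate the sensitivity of Definition 3.4 by hashing random inputs with $+$ and with $+_m$ and counting agreements) and the MIX/PERMUTE round structure just described can be exercised together on a small scale. The following Python is an added example, not the paper's program and not Threefish: it is a toy four-word cipher with 16-bit words, eight rounds, the MIX formula as written on this page, the PERMUTE that swaps words 1 and 3, and a subkey addition after every four rounds. The rotation amounts, subkeys and round count are constructed for the toy; `tadd` is a bit-parallel form of $m$-truncated addition (generate and propagate masks), and the other names are mine.

```python
import random

N = 16                          # toy word size; real Threefish uses 64-bit words
MASK = (1 << N) - 1
ROUNDS = 8                      # toy: two groups of four rounds (Threefish-256 has 72)
# Constructed rotation amounts for this toy, one per round (not Threefish's schedule).
ROT = [5, 7, 9, 3, 11, 13, 1, 6]

def tadd(x, y, m):
    """m-truncated addition x +_m y on N-bit words: a carry into bit i survives only if
    it was generated by a (1,1) pair at most m positions below i (Definition 2.3)."""
    g, p, c, run = x & y, x ^ y, 0, MASK     # generate bits, propagate bits
    for k in range(1, m + 1):
        c |= (g << k) & run                  # (1,1) pair k back, propagated through k-1 ones
        run &= p << k
    return (x ^ y ^ c) & MASK

def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def mix(x, y, r, m):
    """MIX in the form the page gives it, (x + y, rho(x) XOR (x + y)), with + replaced by +_m."""
    s = tadd(x, y, m)
    return s, rotl(x, r) ^ s

def permute(w):
    """PERMUTE = (0)(13)(2): swap words 1 and 3."""
    return [w[0], w[3], w[2], w[1]]

def toy_threefish(words, m, subkeys):
    """Each round: MIX on (w0,w1) and (w2,w3), then PERMUTE; a subkey is added after every
    four rounds.  m = N-1 gives the ordinary-addition version."""
    w = list(words)
    for r in range(ROUNDS):
        w = [*mix(w[0], w[1], ROT[r], m), *mix(w[2], w[3], ROT[(r + 3) % ROUNDS], m)]
        w = permute(w)
        if (r + 1) % 4 == 0:
            w = [tadd(a, k, m) for a, k in zip(w, subkeys[r // 4])]
    return w

def match_rate(m, trials, seed=1):
    """Fraction of random inputs on which the +_m version equals the full version."""
    rng = random.Random(seed)
    subkeys = [[rng.getrandbits(N) for _ in range(4)] for _ in range(ROUNDS // 4)]
    hits = 0
    for _ in range(trials):
        words = [rng.getrandbits(N) for _ in range(4)]
        hits += toy_threefish(words, N - 1, subkeys) == toy_threefish(words, m, subkeys)
    return hits / trials

def sensitivity(trials=2000, threshold=0.001):
    """Definition 3.4: the smallest m whose truncated version matches at least a
    `threshold` fraction of inputs (0.1% on the page)."""
    for m in range(N):
        if match_rate(m, trials) >= threshold:
            return m
    return N - 1

if __name__ == "__main__":
    for m in range(N):
        print(f"m={m:2d}  match rate {match_rate(m, 2000):.4f}")
    print("sensitivity:", sensitivity())
```

The toy has 24 additions in all (16 inside MIX, 8 from subkeys), so comparing the printed match rates with $\pi_m(16)^{24}$ shows the same effect Remark 4.2 reports for Skein: additions that feed one another in series do not behave like independent trials, and the empirical rate drifts away from the product heuristic.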

We first consider the collision attack outlined in Section 3. Since there are no collisions if the step is a bijection, we must consider non-bijective rounds. As the non-bijectivity occurs from adding the subkey, the first interesting computation would be:

Let $K_0$ be the first sub-key and $K_1$ be the second. Let $I$ be the ideal generated by

$$f(f(f(f(f(\mathbf{x} + K_0)_m)_m)_m)_m + K_1)_m - f(f(f(f(f(\mathbf{x}' + K_0)_m)_m)_m)_m + K_1)_m.$$

A Gröbner basis for this ideal would detect the interaction between two non-bijective rounds, yielding real information about the Skein$_m$ algorithm. Although we were unable to reverse enough rounds of Skein$_m$ to make a practical attack, we did reverse two rounds of the $m = 2$ carry-approximated algorithm on 16 bits by computing a Gröbner basis$^1$.

Next, we consider the preimage attack. A preimage attack has no restrictions on the number of rounds needed to be useful, as a preimage for even one round is often difficult. Let $I$ be the ideal generated by

$$\mathbf{z} - f(\mathbf{x} + K_0)_m,$$

corresponding to the system of equations from Section 3. In order to solve for $\mathbf{x}$ in terms of $\mathbf{z}$ and produce a true inverse for one round of the algorithm with truncated addition, we will need to use a lex Gröbner basis algorithm (with the variables in $\mathbf{z} < \mathbf{x}$) to produce an elimination ideal. As the rounds of Threefish$_m$ are not identical (the rotation constants are different for each round), an inverse for two rounds would require the same analysis for the ideal generated by

$$\mathbf{z} - f(f(\mathbf{x} + K_0)_m)_m,$$

and, theoretically, this process could be carried out for all 72 rounds of Threefish$_m$ where the rounds containing subkeys would force the introduction of additional variables. Although we do not have a practical attack, we were able to reverse three rounds of the $m = 2$ carry-approximated algorithm on 12 bits by computing a Gröbner basis$^2$.

We believe these approaches will lead to useful computations for others with more computing resources to explore.



$^1$ Using Sage/PolyBoRi on a 2.53 GHz Intel Core i5 MacBook Pro. We also investigated the $m = 3$ carry-approximated algorithm on 24 bits for up to 3 rounds of Skein. While the number of polynomials is always 24, and the degrees of these polynomials do not exceed 16, the maximum number of terms in each polynomial grows from 10 to 2521 to 236187 for 1, 2 and 3 rounds of Skein, respectively. We attempted to find a Gröbner basis for the ideal generated by these polynomials using Sage/PolyBoRi, Macaulay 2, and the Macaulay 2 package BooleanGB [4], but none of these returned results for 2 or more rounds. These computations would be more feasible if a parallel version of the Gröbner basis algorithm became available.

$^2$ Using Sage/PolyBoRi on a 2.53 GHz Intel Core i5 MacBook Pro. We were also able to reverse one round of the $m = 2$ carry-approximated algorithm on 16 bits.
6. Conclusions

We have seen how to encode ARX hash functions as systems of polynomials over $\mathbb{F}_2$. The degree of the approximation obtained by using $m$-truncated addition will be significantly smaller than the degree of the original ARX function. The sensitivity measures how small we can let $m$ be and still obtain a function that reasonably approximates the original ARX hash function.

One open question that arises from this work is how to construct differential attacks using the metrics we have described. It would also be interesting to examine the encoding polynomials for some of the NIST competition algorithms in detail, and compute Gröbner bases for them.